darkcomet | 59eac3ebcb0b93694f43aa7213d3036c9e3587e1fce63744cbb8beb093d833d1 | Triage

Submit
Reports

Overview

overview

Static

static

3

6624413f83...18.exe

windows7-x64

6624413f83...18.exe

windows10-2004-x64

Sharing

General

Target

6624413f838f9ff1d8c1a09d657eb805_JaffaCakes118
Size

1.1MB
Sample

241021-kd64jawhld
MD5

6624413f838f9ff1d8c1a09d657eb805
SHA1

7e238c72e3573c24776ce89aa680db30d958af1b
SHA256

59eac3ebcb0b93694f43aa7213d3036c9e3587e1fce63744cbb8beb093d833d1
SHA512

cb36a595ac90140cbdbd717d0d95419b329f0c9b503b9dd58e0899093a086c24a28b797904d6a02c21c5485e2e05c0769e459282178fffbff4c6fcef1ed6565b
SSDEEP

24576:RSfuBlnZG4dKG3f6Pwrv+xCF7fuJf3IFDMYX:cGBtZG4dJ3f6Pu+xC0fIFDMw

Score

10^/10

darkcomet discovery persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6624413f838f9ff1d8c1a09d657eb805_JaffaCakes118.exe

Resource

win7-20240903-en

darkcomet discovery persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

6624413f838f9ff1d8c1a09d657eb805_JaffaCakes118.exe

Resource

win10v2004-20241007-en

darkcomet discovery persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  6624413f838f9ff1d8c1a09d657eb805_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  6624413f838f9ff1d8c1a09d657eb805
- SHA1
  
  7e238c72e3573c24776ce89aa680db30d958af1b
- SHA256
  
  59eac3ebcb0b93694f43aa7213d3036c9e3587e1fce63744cbb8beb093d833d1
- SHA512
  
  cb36a595ac90140cbdbd717d0d95419b329f0c9b503b9dd58e0899093a086c24a28b797904d6a02c21c5485e2e05c0769e459282178fffbff4c6fcef1ed6565b
- SSDEEP
  
  24576:RSfuBlnZG4dKG3f6Pwrv+xCF7fuJf3IFDMYX:cGBtZG4dJ3f6Pu+xC0fIFDMw
Score

10^/10

darkcomet discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoverypersistencerattrojan

behavioral2

darkcometdiscoverypersistencerattrojan

© 2018-2024

Terms | Privacy